Stay on the Right Side of the Law.
State and Federal laws require a range of schedules and degrees of security for the storage and destruction of certain business records. At BiS, we stay current with legislation to ensure your compliance. We make sure your documents are stored securely and for the legally mandated time periods, and are destroyed at the appropriate times via the proper methods.
Current Legislation You Should Be Aware of:
Fair and Accurate Credit Transactions Act (FACTA)
FACTA helps consumers fight identity theft. Accuracy; privacy; limits on information sharing; and new consumer rights to disclosure are included in FACTA. Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means.
Gramm/Leach/Bliley Act (GLBA, G/L/B, or G-L-B)
The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate.
The Gramm-Leach-Bliley Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule applies to information of any consumers past or present of the financial institution’s products or services.) This plan must include:
- Denoting at least one employee to manage the safeguards.
- Constructing a thorough [risk management] on each department handling the nonpublic information.
- Develop, monitor, and test a program to secure the information.
- Change the safeguards as needed with the changes in how information is collected, stored, and used.
For more information visit The Gramm-Leach Bliley Act.
Health Information Technology for Economic and Clinical Health Act (HITECH)
The HITECH Act requires health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information has been breached. HITECH was passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
For more information visit Understanding HIPAA for Covered Entities.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA protects patient health information. The HIPAA Privacy Rule does not include medical record retention requirements because State laws generally govern how long medical records are to be retained. However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected private health information for whatever period such information is maintained by a covered entity, including through disposal.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. Changes in HIPAA made in 2009 require more extensive policies and procedures than was previously the case.
Information is available concerning HIPAA Compliance at Understanding HIPAA for Covered Entities.
Lilly Ledbetter Fair Pay Act
This legislation is an amendment to the Civil Rights Act of 1964, passed as a result of the U.S. Supreme Court’s decision in Ledbetter vs. Goodyear Tire & Rubber Co. It restarts the 180-day statute of limitations for complaints to Equal Employment Opportunity Commission (EEOC) alleging pay discrimination each time a new “discriminatory” paycheck is issued. Retroactively effective to May 28, 2007, the Act holds that discriminatory pay decisions reoccur each time wages, benefits, or other compensation are paid. Therefore the 180-day time period (300 days if charges are also covered by state or local anti-discrimination laws) for employees to file EEOC charges against their employers is restarted each time employees are paid.
For the complete Act visit The Lilly Ledbetter Fair Pay Act.
Payment Card Industry Data Security Standard (PCI)
PCI is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard helps organizations that process card payments to prevent credit card fraud through increased controls around data and its exposure to compromise. It applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
To find out more about PCI compliance visit the PCI Security Standards Council.
Red Flags Rule
The FTC Red Flags Rule requires many businesses and organizations to write and implement an Identity Theft Prevention Program designed to detect and identify identity theft in their day-to-day operations. “The Rule requires ‘financial institutions’ and ‘creditors’ that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts.” To be in compliance, affected businesses and organizations must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.
You can find complete details here: Are you complying with the Red Flags Rule?
Sarbanes-Oxley Act of 2002 (SARBOX or SOX)
SOX eliminates the “I didn’t know” defense for management.Because it mandates management’s periodic duty to accurately report the state of the entity, accurate records must be kept to document management’s understanding of that state.
Compliance is required for audits and reviews completed on or after October 31, 2003.
Accounting firms must retain, for seven years, certain records relevant to their audits and reviews of issuers’ financial statements. Records to be retained include an accounting firm’s work papers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.
For more information, go to Final Rule: Sarbanes-Oxley Act of 2002.
Uniform Electronic Transactions Act (UETA)
All but three states (New York, Illinois, Washington) have adopted this law. The states that have not adopted the UETA have their own laws relating to the legal status of electronic records.
You can see a copy of the complete Act here.
BiS will keep your document management on the right side of the law!